CVE-2026-25896

9.3 CRITICAL

📋 TL;DR

CVE-2026-25896 is a vulnerability in fast-xml-parser where a dot (.) in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing attackers to shadow built-in XML entities with arbitrary values. This bypasses entity encoding and leads to cross-site scripting (XSS) when parsed XML output is rendered in web applications. Users of fast-xml-parser versions 4.1.3 through 5.3.4 are affected.

💻 Affected Systems

Products:
  • fast-xml-parser
Versions: 4.1.3 to 5.3.4
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using fast-xml-parser within the affected version range to parse XML that is subsequently rendered in web contexts is vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full XSS exploitation leading to session hijacking, credential theft, or complete compromise of user accounts in web applications that render parsed XML output.

🟠 Likely Case

XSS attacks against users of affected web applications, potentially stealing cookies, session tokens, or performing actions on behalf of authenticated users.

🟢 If Mitigated

Limited impact if XML output is properly sanitized or not rendered in web contexts, though the vulnerability still exists in the parser itself.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the attacker to supply malicious XML that is parsed and rendered, but no authentication or special privileges are needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.3.5

Vendor Advisory: https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-m7jm-9gc2-mpf2

Restart Required: No

Instructions:

1. Update fast-xml-parser to version 5.3.5 or later.
2. For npm: run 'npm update fast-xml-parser'.
3. For yarn: run 'yarn upgrade fast-xml-parser'.
4. Verify the update by checking package.json or running 'npm list fast-xml-parser'.

🔧 Temporary Workarounds

Input Validation and Sanitization (all platforms)

Implement strict input validation to reject XML containing DOCTYPE declarations or entities with dots, and sanitize all XML output before rendering in web contexts.

🧯 If You Can't Patch

  • Disable DOCTYPE processing in fast-xml-parser configuration if supported, to prevent entity replacement attacks.
  • Implement output encoding or use a Content Security Policy (CSP) to mitigate XSS impact when rendering parsed XML.
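A pre-parse gate that implements the workaround above: it rejects any DOCTYPE unless the caller opts in, and when a DOCTYPE is allowed it rejects entity names containing a dot, reporting which built-in entity such a name could shadow under the wildcard behaviour the advisory describes. This is an added example, not code from the advisory or from the fast-xml-parser project; it assumes the XML arrives as a string and depends on no parser option, so it can sit in front of any version.

```javascript
// Added example (not fast-xml-parser code). Built-in entities the bug lets a dotted name shadow.
const BUILTIN_ENTITIES = ["amp", "lt", "gt", "quot", "apos"];

// Text between '[' and ']' of the DOCTYPE, or "" when there is no internal subset.
function doctypeInternalSubset(xml) {
  const start = xml.search(/<!DOCTYPE/i);
  if (start === -1) return "";
  const open = xml.indexOf("[", start);
  const close = open === -1 ? -1 : xml.indexOf("]", open);
  return close === -1 ? "" : xml.slice(open + 1, close);
}

// Names of every <!ENTITY ...> declaration (general or parameter entity).
function declaredEntityNames(xml) {
  const subset = doctypeInternalSubset(xml);
  const decl = /<!ENTITY\s+(?:%\s+)?([^\s"'>]+)/g;
  const names = [];
  let m;
  while ((m = decl.exec(subset)) !== null) names.push(m[1]);
  return names;
}

// True if `name`, with '.' read as a one-character wildcard (the buggy behaviour),
// would match `target`. Compared char by char so attacker text is never compiled into a RegExp.
function wildcardMatches(name, target) {
  if (name.length !== target.length) return false;
  for (let i = 0; i < name.length; i++) {
    if (name[i] !== "." && name[i] !== target[i]) return false;
  }
  return true;
}

// Run before the string reaches the parser. Returns { ok, reason?, shadows }.
function checkXmlInput(xml, { allowDoctype = false } = {}) {
  if (!/<!DOCTYPE/i.test(xml)) return { ok: true, shadows: [] };
  if (!allowDoctype) return { ok: false, reason: "DOCTYPE not permitted", shadows: [] };
  for (const name of declaredEntityNames(xml)) {
    if (name.includes(".")) {
      const shadows = BUILTIN_ENTITIES.filter((b) => wildcardMatches(name, b));
      return { ok: false, reason: `entity name "${name}" contains a dot`, shadows };
    }
  }
  return { ok: true, shadows: [] };
}

// Constructed samples: a plain document, a benign DOCTYPE, and a dotted entity name.
const SAMPLE_PLAIN = '<?xml version="1.0"?><root>&lt;b&gt;</root>';
const SAMPLE_DOCTYPE = '<!DOCTYPE r [<!ENTITY hello "world">]><r>&hello;</r>';
const SAMPLE_DOTTED = '<!DOCTYPE r [<!ENTITY l. "constructed">]><r>&lt;</r>';
```

Call `checkXmlInput(input)` before parsing and reject the request when `ok` is false; pass `{ allowDoctype: true }` only for sources that genuinely need a DOCTYPE.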

🔍 How to Verify

Check if Vulnerable:

Check the fast-xml-parser version in your project dependencies. If it is between 4.1.3 and 5.3.4 inclusive, it is vulnerable.

Check Version:

npm list fast-xml-parser

Verify Fix Applied:

After updating, confirm the version is 5.3.5 or higher and test parsing of XML with malicious DOCTYPE entities to ensure they are properly handled.

📡 Detection & Monitoring

Log Indicators:

  • Unusual XML parsing errors, spikes in XML input processing, or logs showing DOCTYPE entities with dots in entity names.

Network Indicators:

  • Incoming XML payloads containing DOCTYPE declarations with entity names including dots, especially in web application traffic.

SIEM Query:

source="web_logs" AND (xml OR DOCTYPE) AND entity AND "."

Note that the bare "." term matches almost every record, so this query is only a starting point; narrow it, in your SIEM's regex syntax, to the literal string "<!ENTITY" followed by a name that contains a dot.
